Next-generation AI-powered offensive security testing with GPT-5 and multi-agent orchestration
Tella AI is an advanced, fully autonomous offensive security testing platform that leverages cutting-edge AI (GPT-5) to conduct comprehensive security assessments. Built with an attacker's mindset, it combines clean architecture with powerful security testing capabilities.
- Orchestrator Agent: Coordinates all security testing activities
- Recon Agent: Performs comprehensive reconnaissance
- Scanner Agent: Identifies vulnerabilities systematically
- Exploiter Agent: Validates findings with proof-of-concept exploits
- Analyst Agent: Correlates and analyzes results
- Reporter Agent: Generates detailed security reports
- Reconnaissance: Subdomain enumeration, OSINT, technology fingerprinting
- Port Scanning: Multi-technique port and service discovery
- Vulnerability Detection: XSS, SQLi, CSRF, SSRF, and more
- Exploit Validation: Safe, controlled exploit testing
- Real-time Monitoring: Live agent status and findings
- Comprehensive Reporting: Detailed findings with remediation
- Backend: TypeScript, Node.js, GraphQL, Prisma
- Database: PostgreSQL
- Queue: Redis + BullMQ
- AI: OpenAI GPT-5 with function calling
- Frontend: Svelte with real-time updates
- Deployment: Docker & Docker Compose
- Node.js 18+
- PostgreSQL 15+
- Redis 7+
- OpenAI API Key (GPT-5 when available, currently uses GPT-4 Turbo)
- Docker & Docker Compose (for containerized deployment)
- Clone the repository:

  ```bash
  git clone <repository-url>
  cd tella
  ```

- Generate secure .env file:

  ```bash
  # Automated setup (recommended)
  ./scripts/generate-env.sh
  # OR manually copy and edit
  cp .env.docker .env
  # Then edit .env and replace all placeholder values
  ```

- Configure environment variables in .env:
  - Required: Set JWT_SECRET (min 32 chars) - auto-generated by script
  - Required: Set POSTGRES_PASSWORD - auto-generated by script
  - Optional: Add your OPENAI_API_KEY for AI features
  - Optional: Update CORS_ORIGIN for production deployment
- Start the platform:

  ```bash
  docker-compose up -d
  ```

- Access the dashboard: http://localhost:5173
Security Note: Never commit your .env file. The JWT_SECRET and POSTGRES_PASSWORD must be unique and secure in production!
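The .env requirements above can be checked before the stack starts. The following pre-flight check is an added example, not part of the Tella code base; the placeholder patterns, the character-variety threshold, and the production CORS rule are assumptions to adapt to what .env.docker actually contains.

```typescript
// Added example, not project code. Placeholder patterns and the CORS rule are assumptions.
type EnvMap = { [key: string]: string | undefined };
type EnvIssue = { key: string; problem: string };

// Minimal dotenv parser: KEY=VALUE lines, '#' comment lines, optional surrounding quotes.
function parseEnv(text: string): EnvMap {
  const vars: EnvMap = Object.create(null);
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (line.charAt(0) === "#" || eq <= 0) continue;
    const value = line.slice(eq + 1).trim().replace(/^(["'])(.*)\1$/, "$2");
    vars[line.slice(0, eq).trim()] = value;
  }
  return vars;
}

// Assumed placeholder markers; match them to what .env.docker actually ships with.
const PLACEHOLDER = /change[-_ ]?me|placeholder|your[-_ ]|example|^<.*>$/i;

function checkEnv(text: string, production = false): EnvIssue[] {
  const env = parseEnv(text);
  const issues: EnvIssue[] = [];
  const flag = (key: string, problem: string) => { issues.push({ key, problem }); };

  for (const key of ["JWT_SECRET", "POSTGRES_PASSWORD"]) {
    const v = env[key] ?? "";
    if (v === "") flag(key, "missing");
    else if (PLACEHOLDER.test(v)) flag(key, "placeholder value");
  }
  const jwt = env["JWT_SECRET"] ?? "";
  const distinct = jwt.split("").filter((c, i, all) => all.indexOf(c) === i).length;
  if (jwt !== "") {
    if (jwt.length < 32) flag("JWT_SECRET", "shorter than 32 chars");
    else if (distinct < 10) flag("JWT_SECRET", "low character variety");
    if (jwt === env["POSTGRES_PASSWORD"]) flag("JWT_SECRET", "reused as POSTGRES_PASSWORD");
  }
  // CORS_ORIGIN is optional in development; in production it must name the real origin.
  const cors = env["CORS_ORIGIN"] ?? "";
  if (production && (cors === "" || cors === "*" || /localhost|127\.0\.0\.1/.test(cors))) {
    flag("CORS_ORIGIN", "not set to the production origin");
  }
  return issues;
}
```

Pass the contents of .env to `checkEnv` in CI or at server start and refuse to continue when the returned list is non-empty.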
- Install dependencies:

  ```bash
  npm install
  ```

- Set up database:

  ```bash
  npm run prisma:migrate
  npm run prisma:generate
  ```

- Seed initial data (optional):

  ```bash
  npm run db:seed
  ```

- Start development server:

  ```bash
  npm run dev
  ```

- Add a Target:
  - Navigate to "Targets" in the sidebar
  - Click "New Target"
  - Enter target URL and details
  - IMPORTANT: Only test authorized targets
- Start a Scan:
  - Go to "Scans"
  - Click "New Scan"
  - Select target and configure scan parameters
  - Start the scan
- Monitor Progress:
  - View real-time agent activity
  - Track task completion
  - See findings as they're discovered
- Review Findings:
  - Navigate to "Findings"
  - Filter by severity
  - Export reports
GraphQL endpoint: http://localhost:4000/graphql
Example mutation to start a scan:
```graphql
mutation StartScan {
  createScan(
    name: "Comprehensive Security Assessment"
    targetId: "target-uuid"
    config: {
      depth: "comprehensive"
      scanTypes: ["recon", "vuln_scan", "exploit"]
    }
  ) {
    id
    status
  }
}
```

```
┌─────────────────────────────────────────────────┐
│                Tella AI Platform                │
├─────────────────────────────────────────────────┤
│                                                 │
│  ┌──────────────┐      ┌──────────────┐         │
│  │  Svelte UI   │◄────►│ GraphQL API  │         │
│  │  Dashboard   │      │   (Apollo)   │         │
│  └──────────────┘      └──────┬───────┘         │
│                               │                 │
│                        ┌──────▼───────┐         │
│                        │    Agent     │         │
│                        │ Orchestrator │         │
│                        └──────┬───────┘         │
│         ┌──────────────┬──────┴───────┐         │
│   ┌─────▼─────┐  ┌─────▼─────┐  ┌─────▼─────┐   │
│   │   Recon   │  │  Scanner  │  │ Exploiter │   │
│   │   Agent   │  │   Agent   │  │   Agent   │   │
│   └─────┬─────┘  └─────┬─────┘  └─────┬─────┘   │
│         └──────────────┼──────────────┘         │
│               ┌────────▼────────┐               │
│               │ Security Tools  │               │
│               │  (Recon, Scan,  │               │
│               │    Exploit)     │               │
│               └────────┬────────┘               │
│         ┌──────────────┼──────────────┐         │
│   ┌─────▼─────┐  ┌─────▼─────┐  ┌─────▼─────┐   │
│   │PostgreSQL │  │   Redis   │  │   GPT-5   │   │
│   │    DB     │  │   Queue   │  │    API    │   │
│   └───────────┘  └───────────┘  └───────────┘   │
│                                                 │
└─────────────────────────────────────────────────┘
```
This platform is designed for AUTHORIZED security testing ONLY.
- Only test systems you own or have explicit written permission to test
- Follow responsible disclosure practices
- Comply with all applicable laws and regulations
- NEVER use for unauthorized access or malicious purposes
- NEVER test production systems without proper authorization
By default, exploit testing runs in "safe mode", which validates vulnerabilities without causing damage. Aggressive testing requires explicit configuration and authorization.
The platform uses a comprehensive schema:
- Users & Auth: Role-based access control
- Targets: Systems under test
- Scans: Security assessment sessions
- Agents: AI agents performing tasks
- Tasks: Individual testing operations
- Findings: Discovered vulnerabilities
- Tools: Security testing tools
- Knowledge Base: AI agent training data
- Task coordination
- Strategic planning
- Progress monitoring
- Subdomain enumeration
- Technology fingerprinting
- OSINT gathering
- Certificate transparency
- Port scanning
- Vulnerability detection
- Configuration analysis
- Header inspection
- Exploit validation
- PoC development
- Attack chain testing
- GPT-5 integration (when available)
- Advanced exploit modules
- Custom security tool integration
- Report customization
- Multi-user collaboration
- Distributed scanning
- Machine learning for false positive reduction
This is a security-focused project. Contributions are welcome but must:
- Follow secure coding practices
- Include tests
- Not introduce vulnerabilities
- Respect ethical guidelines
This project is for educational and authorized security testing purposes only.
For issues, questions, or feature requests, please open an issue on GitHub.
Built with an attacker's mindset. Used responsibly.